The Department of Justice has updated its stance on a contentious rule to promote greater activity from security researchers, also known as white-hat hackers, who can identify cybersecurity flaws and inform authorities to fix them before attackers do.
Following the department’s prosecution of Aaron Swartz, the legislation in question, the Computer Fraud and Abuse Act (CFAA), became well-known in the vulnerability disclosure community.
Swartz, a Harvard University research fellow, was fined $1 million and sentenced to 50 years in jail for stealing information from JSTOR, an academic journal’s digital repository.
Swartz, who was credited with helping to build RSS feeds, co-founding Reddit, and openly sharing millions of papers from the pay-walled Public Access to Court Electronic Records system, died of an apparent suicide in 2013 after more than a year of negotiating with federal prosecutors.
In the news, the federal prosecutor who brought the charges was seen as a villain, and the case contributed considerably to what some have described as a chilling effect on crucial security research due to the overzealous application of the law. Hackers are hesitant to reveal bugs discovered when gaining unauthorized access to government networks.
The government has made a solid effort to involve the security research community in recent years, enforcing authorized vulnerability disclosure procedures at federal agencies and, in some circumstances, proactively paying hackers through bug bounty programs. However, the CFAA remains a matter of contention.
In a press release announcing the guidance on Thursday, Deputy Attorney General Lisa O. Monaco said, “Computer security research is a crucial driver of improved cybersecurity. The Department of Justice has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement enhances cyber-security by giving clarity for good-faith security researchers who seek out vulnerabilities for the greater benefit.”
The full policy update released by the Justice Department also addressed other ways the department expects to prioritize its resources in implementing the CFAA.
News Source: nextgov